It can be useful to perform simulated phishing attacks on a user or a set of users. A phishing attack involves an attempt to acquire sensitive information such as usernames, passwords, credit card details, etc., often for malicious reasons, possibly by masquerading as a trustworthy entity. For example, an email may be sent to a target, the email having an attachment that performs malicious actions when executed or a link to a webpage that either performs malicious actions when accessed or prompts the user to execute a malicious program. Malicious actions may be malicious data collection or actions harmful to the normal functioning of a device on which the email was activated, or any other malicious actions capable of being performed by a program or a set of programs. Simulated phishing attacks allow an organization to determine the level of vulnerability to phishing attacks of a user or set of users. This knowledge can be used by internet technology organizations to reduce this level of vulnerability through tools or training.